SolidSnake007

Hello Guys,

Interesting thread. I may be a bit off topic here but it's certainly related. I too am testing AirVPN on my Synology and I can get it to connect fine, but upon testing internet connectivity I get some strange behaviour. Using a terminal session to my Synology I issue some traceroute commands to some domains on the internet. For instance, I don't seem to be able to resolve any domain names, so it looks like a DNS issue. On the other hand, pings to the public DNS servers of Google (8.8.8.8) or any other IP address work fine, so internet connectivity is there, no doubt. Like many others my concern is that it uses the VPN connection and gateways to access the internet. When you see the below traceroute however, you see that latency is very high and it really takes a long time to perform this trace. I find it very strange.

    traceroute 90.216.180.87
    traceroute to 90.216.180.87 (90.216.180.87), 30 hops max, 60 byte packets
     1  10.8.0.1 (10.8.0.1)  19.494 ms  21.157 ms  21.170 ms
     2  46.19.137.113 (46.19.137.113)  21.324 ms  21.298 ms  21.297 ms
     3  31.7.63.1 (31.7.63.1)  20.993 ms  21.009 ms  20.997 ms
     4  190.211.252.57 (190.211.252.57)  21.039 ms  21.128 ms  21.172 ms
     5  80.255.14.121 (80.255.14.121)  21.092 ms  21.123 ms  21.121 ms
     6  81.95.15.213 (81.95.15.213)  26.945 ms  26.728 ms  25.988 ms
     7  213.46.179.5 (213.46.179.5)  28.585 ms  26.110 ms  26.133 ms
     8  84.116.134.9 (84.116.134.9)  27.013 ms 84.116.134.5 (84.116.134.5)  60.475 ms  60.494 ms
     9  84.116.140.190 (84.116.140.190)  26.827 ms  27.018 ms  27.046 ms
    10  213.46.179.102 (213.46.179.102)  44.268 ms  44.285 ms  44.340 ms
    11  * * *
    12  * * *
    13  * * *
    14  90.216.180.87 (90.216.180.87)  52.565 ms  51.988 ms  57.223 ms
    15  90.216.180.87 (90.216.180.87)  57.006 ms  61.442 ms  61.592 ms

This is a trace to a friend's IP address (changed it for privacy so don't bother). It eventually gets there but it takes like centuries. Could it be just a server issue so I should go and try a different VPN gateway?

It looks like my internet bandwidth is throttled to the sub-zero point. Anyway, with other VPN services I did manage to have a stable connection and have some bandwidth but this just feels like something is horribly wrong. Thanks for your feedback!

SolidSnake007

zhang888

What exactly is wrong with 25-60ms? Your traceroute may take longer to display since your DNS doesn't work. Use the traceroute -n flag.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

sundi

Hi SolidSnake007,

Your latency is fine (actually very good as per my results). I am getting 180-211ms in my results. But I am still happy with the download speed I am getting. I think it varies a lot when you connect to an AirVPN server closest to your location vs a server located far from your location. Here is my output:

    traceroute -n 84.116.140.190
    traceroute to 84.116.140.190 (84.116.140.190), 30 hops max, 60 byte packets
     1  10.4.0.1  180.189 ms  180.175 ms  180.183 ms
     2  178.162.198.124  180.197 ms  180.220 ms 178.162.198.125  180.227 ms
     3  178.162.223.144  180.232 ms 178.162.223.164  180.733 ms 178.162.223.136  183.897 ms
     4  46.165.255.122  183.934 ms 46.165.255.168  183.947 ms 46.165.255.98  183.953 ms
     5  46.165.255.115  191.488 ms 46.165.255.107  194.973 ms 46.165.255.109  193.205 ms
     6  213.46.177.89  194.098 ms  211.758 ms  211.490 ms
     7  * * *
     8  * * *
     9  84.116.140.190  187.591 ms  187.343 ms  188.990 ms

If you want to discuss how I have done my setup and want some configuration help, please let me know. I will try to help you.

Mikeyy

> I have setup a script which checks for the VPN tunnel presence every 5 minutes. If VPN tunnel is not present the script will terminate the current stale session and recreate a new VPN connection.

Can you please share this reconnect script?

Concerning your problems with blocking Synology internet access, today I found a solution for myself, but it's the exact same problem as yours so I'm sharing it with you.

You need to be able to use iptables on your router (dd-wrt, merlin or tomato). Since I read you are using Merlin, check this: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Use "firewall-start": create a file named "firewall-start", make sure it's created for Unix not Windows, enter the iptables commands inside, copy it to the jffs partition and mark it as executable. It will start automatically when the router restarts.

    #Use this order of commands because it executes in reverse order.
    #This command will execute last, it kills all UDP requests.
    iptables -I FORWARD -p udp -s 192.168.1.111 -j REJECT
    #This command will execute second and will ACCEPT connection to your VPN on destination port 443 UDP
    iptables -I FORWARD -p udp -s 192.168.1.111 -m multiport --dports 443 -j ACCEPT
    #This command will execute first and will block all TCP source ports except those needed for web access
    iptables -I FORWARD -p tcp -s 192.168.1.111 -m multiport ! --sports 5000,5001,6690 -j REJECT

Change 192.168.1.111 to your Synology LAN IP.
Change other ports, add or remove them when you don't need them.
Be careful to not assign some of those ports to download station BT ports, they must be different if you want to block them.
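
Added example, not part of Mikeyy's post: a first-match walk over the three rules above, in the order the FORWARD chain holds them after the -I inserts (last inserted is checked first), run against constructed packets. The names NAS, WEB_SPORTS, in_list and verdict are made up for this illustration, and CONTINUE stands for "none of these three rules matched, the rest of the chain decides".

```shell
#!/bin/sh
# Added example, not code from the thread. Models only the three rules in the post.
NAS=192.168.1.111            # Synology LAN IP used in the post
WEB_SPORTS="5000 5001 6690"  # source ports exempted by the TCP rule

# in_list ITEM LIST...: succeeds if ITEM is one of LIST
in_list() {
    item=$1; shift
    for candidate in "$@"; do
        if [ "$candidate" = "$item" ]; then return 0; fi
    done
    return 1
}

# verdict PROTO SRC SPORT DPORT: prints REJECT, ACCEPT or CONTINUE
verdict() {
    proto=$1; src=$2; sport=$3; dport=$4
    # All three rules carry -s $NAS, so other hosts never match them.
    if [ "$src" != "$NAS" ]; then echo CONTINUE; return 0; fi
    # Checked first: -p tcp -m multiport ! --sports 5000,5001,6690 -j REJECT
    if [ "$proto" = tcp ] && ! in_list "$sport" $WEB_SPORTS; then
        echo REJECT; return 0
    fi
    # Checked second: -p udp -m multiport --dports 443 -j ACCEPT
    if [ "$proto" = udp ] && [ "$dport" = 443 ]; then echo ACCEPT; return 0; fi
    # Checked last: -p udp -j REJECT
    if [ "$proto" = udp ]; then echo REJECT; return 0; fi
    echo CONTINUE
}

# Constructed packets: proto, source, source port, destination port.
while read -r p s sp dp note; do
    printf '%-4s %-15s sport=%-5s dport=%-5s %-8s %s\n' \
        "$p" "$s" "$sp" "$dp" "$(verdict "$p" "$s" "$sp" "$dp")" "$note"
done <<'EOF'
udp 192.168.1.111 40000 443   OpenVPN over UDP 443
udp 192.168.1.111 40000 53    DNS sent outside the tunnel
tcp 192.168.1.111 5001  52000 reply from the DSM web port
tcp 192.168.1.111 51413 6881  BitTorrent outside the tunnel
tcp 192.168.1.111 40000 443   OpenVPN over TCP 443
tcp 192.168.1.50  40000 80    another LAN host
EOF
```

The last NAS case shows that TCP from the Synology to port 443 is rejected by the first rule, so with these rules the tunnel only comes up over UDP 443.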

sundi

Thanks for the firewall list. I will try to implement it soon. I am using the following script:

    #!/bin/sh
    #VPN Check script modified & copied on May 3, 2016
    #Script for checking every five minutes if VPN is up. It provides details like VPN is up since, data
    #received/sent, VPN IP & WAN IP.
    #If VPN is not up it will report it in the log file and start it
    DATE=$(date +"%F")
    TIME=$(date +"%T")
    LogFile="/volume1/homes/dsm_reports/airvpn/check_airvpn_$DATE.log"
    IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
    PUBIP=$(curl -s icanhazip.com)
    #PUBIP=$(curl -s ipinfo.io/ip)
    #PUBIP=$(curl ifconfig.me)
    RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}')
    TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}')
    UPTIME=$(grep "$IPADDR" /var/log/synolog/synosys.log | awk '{print $2" "$3}' | tail -1)

    start_vpn()
    {
        echo "VPN is down. Attempting to (re)start now." >> "$LogFile"
        /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=AirVPN_Name
        echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
        echo conf_id=oxxxxxxxxxx > /usr/syno/etc/synovpnclient/vpnc_connecting
        echo conf_name=AirVPN_Name >> /usr/syno/etc/synovpnclient/vpnc_connecting
        echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
        /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=AirVPN_Name >> "$LogFile"
    }

    echo "======================================" >> "$LogFile"
    echo "$DATE $TIME" >> "$LogFile"
    if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
    then
        echo "VPN is up since: $UPTIME" >> "$LogFile"
        echo "Session Data RX: $RXDATA" >> "$LogFile"
        echo "Session Data TX: $TXDATA" >> "$LogFile"
        echo "VPN IP is: $IPADDR" >> "$LogFile"
        if curl -s icanhazip.com
        then
            echo "WAN IP is: $PUBIP" >> "$LogFile"
        else
            start_vpn
        fi
    else
        start_vpn
    fi
    exit 0

Please change the conf_id and AirVPN_Name with yours.
You also need to put the script in the scheduler to run every 5 minutes.
Let me know how it works for you.

I also have two more scripts to manage the logs generated by this script.

Mikeyy

> Thanks for the firewall list. I will try to implement it soon. I am using the following script:
> Please change the conf_id and AirVPN_Name with yours. You also need to put the script in the scheduler to run every 5 minutes. Let me know how it works for you. I also have two more scripts to manage the logs generated by this script.

I modified your script a bit, since it didn't reconnect if tun0 was up, but not working. This happens when VPN is active on Synology, but your router restarts. Then Synology is still reporting that VPN is up, but connection is broken and you can't connect to anything. Anyway, you can find the script below with additional comments and variables:

    #!/bin/sh
    #VPN Check script modified Aug 5, 2016
    #Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data
    #received/sent, VPN IP & WAN IP.
    #If VPN is not up it will report it in the log file and start it
    #Change VPNID and VPNNAME to yours. SSH into Synology and run "cat /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf" to see your values.
    #Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in "/usr" folder of your Synology and chmod it: "chmod +x /usr/synovpn_reconnect"
    #Edit "/etc/crontab" and add this line without quotes for starting script every 5 minutes: "*/5 * * * * root /usr/synovpn_reconnect"
    #After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond"
    DATE=$(date +"%F")
    TIME=$(date +"%T")
    VPNID="oXXXXXXXXXX"
    VPNNAME="AirVPN"
    LogFile="/volume1/home/user1/airvpn/check_airvpn_$DATE.log"
    IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
    PUBIP=$(curl -s -m 5 icanhazip.com)
    CHECKIP=$(echo $PUBIP | grep -c ".")
    #PUBIP=$(curl -s -m 5 ipinfo.io/ip)
    #PUBIP=$(curl -s -m 5 ifconfig.me)
    RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}')
    TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}')
    UPTIME=$(grep "$IPADDR" /var/log/synolog/synosys.log | awk '{print $2" "$3}' | tail -1)

    start_vpn()
    {
        echo "VPN is down. Attempting to (re)start now." >> "$LogFile"
        /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME
        echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
        echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting
        echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting
        echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
        /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> "$LogFile"
    }

    sleep 6
    echo "======================================" >> "$LogFile"
    echo "$DATE $TIME" >> "$LogFile"
    if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
    then
        if [ "$CHECKIP" = 1 ]
        then
            echo "VPN is up since: $UPTIME" >> "$LogFile"
            echo "Session Data RX: $RXDATA" >> "$LogFile"
            echo "Session Data TX: $TXDATA" >> "$LogFile"
            echo "VPN IP is: $IPADDR" >> "$LogFile"
            echo "WAN IP is: $PUBIP" >> "$LogFile"
        else
            start_vpn
        fi
    else
        start_vpn
    fi
    exit 0
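
Added example, not code from either poster: the scripts above accept any non-empty curl reply as proof the tunnel works, so this sketch validates the reply as an IPv4 address and also flags the case where the reply is the ISP address, meaning traffic is leaving outside the VPN. ISP_IP, is_ipv4 and vpn_state are hypothetical names, and the ifconfig text and all addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample values are constructed.

# is_ipv4 STRING: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vpn_state IFCONFIG_TEXT CURL_REPLY ISP_IP: prints ok, restart or leak.
# ISP_IP is a hypothetical setting: the address your line has without the VPN.
vpn_state() {
    # Same extraction as the thread's IPADDR line, fed from text, not a live call.
    tun_ip=$(printf '%s\n' "$1" | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
    if ! is_ipv4 "$tun_ip"; then echo restart; return 0; fi   # tun0 has no address
    if ! is_ipv4 "$2"; then echo restart; return 0; fi        # timeout, empty or HTML
    if [ "$2" = "$3" ]; then echo leak; return 0; fi          # exits via the ISP
    echo ok
}

# Constructed ifconfig output in the old net-tools format the scripts parse.
SAMPLE_IFCONFIG='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.0.42  P-t-P:10.4.0.41  Mask:255.255.255.255
          RX bytes:1234 (1.2 KiB)  TX bytes:5678 (5.5 KiB)'

# Constructed curl replies: VPN exit, empty (timed out), captive page, ISP address.
for reply in 198.51.100.20 "" "<html>login</html>" 203.0.113.7; do
    printf '%-22s -> %s\n' "[$reply]" \
        "$(vpn_state "$SAMPLE_IFCONFIG" "$reply" 203.0.113.7)"
done
```

In a watchdog, a "leak" result is a reason to stop the services that must not run outside the tunnel before reconnecting, not only to log it.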

sundi

Thanks for modifying the script. It will be helpful. The issue regarding a stale VPN session, or when VPN is showing as connected whereas the router got restarted, the script actually takes care of that. The following section in the script checks if VPN can fetch its public IP from the internet; if not, it will restart the VPN.

    if curl -s icanhazip.com
    then
    echo "WAN IP is: $PUBIP" >> $LogFile
    else
    start_vpn
    fi
    else
    start_vpn
    fi
    exit 0

Please see if it works for you, as it works for me.

Mikeyy

Nope, it doesn't work, that's why I changed it. Curl waits forever for reply and script hangs. I added "-m 5" to curl which means it will wait for max 5 seconds to get reply. Rest are mostly cosmetic changes.

sundi

> Nope, it doesn't work, that's why I changed it. Curl waits forever for reply and script hangs. I added "-m 5" to curl which means it will wait for max 5 seconds to get reply. Rest are mostly cosmetic changes.

That's strange, because it works for me. Curl gives me the correct WAN IP and if it does not then script disconnects and reconnects the VPN making sure there is no stale session and VPN is able to get to the internet. I will also test your script and will get back to you.